Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46852
Backport the patch that is referenced by the NVD advisory.
The test extension was not backported, because the modified testcase
does not exist in the recipe version yet.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37622
Pick the patch from the PR referenced by the NVD advisory.
Note that the regression test is not part of this patch,
as no patchtool could apply it in do_patch task.
The test patch was however manually applied during preparing
this patch, and all tests were executed successfully.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37621
Backport the patch that is referenced by the NVD advisory.
The regression test contains a binary patch, that couldn't be applied
in the do_patch task. Due to this the test was not backported. It was
however applied manually and executed successfully during the preparation
of this patch.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37620
Pick the patches from the PR that is referenced by the NVD advisory.
Two notes:
1. The regression test contains a binary patch, that couldn't be applied
in the do_patch task. Due to this the test was not backported. It was
however applied manually and executed successfully during the preparation
of this patch.
2. The commit changes some "unsigned" types to "size_t", which is not
included in this backport. They were already done by another patch (the
one for CVE-2021-34334).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37619
Pick the patch from the PR referenced by the NVD advisory.
Note that the regression test is not part of this patch,
as no patchtool could apply it in do_patch task.
The test patch was however manually applied during preparing
this patch, and all tests were executed successfully.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37618
Pick the patch from the PR that is referenced by the NVD advisory.
Note that the regression test was not backported, because it contains
a binary patch, that I couldn't apply with any of the patchtools
in the do_patch step. Before submission however I have applied the
patches, and ran all the tests successfully.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37615https://nvd.nist.gov/vuln/detail/CVE-2021-37616
Backport the patches from the PR that is referenced by the NVD advisory.
Both CVEs are fixed by the same PR.
Note that the patch that added a regression test is not included. This
is because it contains a binary patch, which seems to be impossible
to apply with all patchtools during do_patch. Though it is not included
in this patch, it was applied manually during prepration, and all ptests
(including the new regression test) passed successfully.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3982
The vulnerability is about a privilege escalation, in case
the host distribution sets CAP_SYS_NICE capability on the
gnome-shell binary.
OE distros don't do that, and due to this this recipe is not
affected by this issue. The CVE is ignored.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065
The vulnerability is about a 3rd party Windows-only GUI frontend for
the streamripper library, and not for the CLI application that the
recipe builds. Due to this ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-44038
The main point of the vulnerability is that the application
comes with its own systemd unit files, which execute chmod and chown
commands upon start on some files. So when the services are
restarted (e.g. after an update), these unit files can be tricked
to change the permissions on a malicious file.
However OE does not use these unit files - the recipe comes
with its own custom unit files, and chown/chmod isn't used
at all.
Due to this, ignore this vulnerability.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994
The vulnerability impacts only the python bindings of protobuf, which
is in a separate recipe (python3-protobuf, where it is patched).
Ignore this CVE in this recipe due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
There is no reason to apply them only to single version when they apply
properly to all versions.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
It contains Security fixes for CVE-2026-2003, CVE-2026-2004,
CVE-2026-2005, CVE-2026-2006 and CVE-2026-2007.
It also contains other bug fixes and for more details refer Release note.
0001-configure.ac-bypass-autoconf-2.69-version-check.patch
refreshed for 14.21
Release notes: https://www.postgresql.org/docs/release/14.21/
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-38171
This is the same as CVE-2021-30860, but that one was primarily filed
against Apple software (and some other related projects).
The patch that fixes this vulenrability is already added to the recipe,
just extend its CVE tag
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887
The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, that is world-writeable.
The recommendation would be to place them to a more secure folder.
The recipe however does not install these example configurations,
and as such it is not vulnerable either.
Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).
Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit dd81ffdb68)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
While using devtool to check available versions, I noticed a 301 http error.
Specifically :
$ devtool latest-version libxfce4ui
Resolving archive.xfce.org (archive.xfce.org)... 217.70.191.87
Connecting to archive.xfce.org (archive.xfce.org)|217.70.191.87|:80... connected
.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://archive.xfce.org/src/xfce/libxfce4ui/4.20/ [following]
With this patch, we change to make the SRC_URI an https request.
A similar patch is already in master - commit 8089168196
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
oe-core has a newer version of xserver than this recipe used to compile
TigerVNC with. This recipe updates xserver to the same version, 21.1.18.
TigerVNC only started to support this xserver version 2 versions later,
with 1.13. Due to this 3 commits were backported that add the missing
changes.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Gyorgy Sarvari
Hitendra Prajapati
Chen Qi
Peter Marko
Ankur Tyagi
Zahir Hussain
Jason Schonberg
Rohini Sangam
Vijay Anusuri